hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

When using OIDC authentication in Azure Government with Github Actions, AzureRM is calling the incorrect API of api://AzureADTokenExchange #28059

Closed ais-craiggoheen closed 12 hours ago

ais-craiggoheen commented 1 day ago

Is there an existing issue for this?

Community Note

Terraform Version

1.9.8

AzureRM Provider Version

4.1.0

Affected Resource(s)/Data Source(s)

Terraform Plan

Terraform Configuration Files

name: Deploy Terraform with OIDC
on: [push]

permissions:
  id-token: write # Require write permission to fetch an OIDC token.
  contents: read
  pull-requests: write

jobs:
  plan:
    runs-on: ubuntu-latest
    steps:
      - name: Login to Azure US Gov Cloud with OIDC
        uses: azure/login@v2
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
          environment: 'AzureUSGovernment'
          audience: api://AzureADTokenExchangeUSGov

      - name: Checkout
        uses: actions/checkout@v4

      - name: Setup Terraform
        uses: hashicorp/setup-terraform@v3
        with:
          terraform_version: 1.9.8

      - name: Terraform fmt
        id: fmt
        run: terraform fmt -check

      - name: Terraform init
        id: init
        run: terraform init
        env:
          ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
          ARM_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
          ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
          ARM_USE_OIDC: true
          ARM_USE_AZURE_AD: true
          ARM_ENVIRONMENT: 'usgovernment'

      - name: Terraform validate
        id: validate
        run: terraform validate -no-color

      - name: Terraform plan
        id: plan
        run: |
          export TF_LOG=DEBUG
          terraform plan -no-color
        env:
          ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
          ARM_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
          ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
          ARM_USE_OIDC: true
          ARM_USE_AZURE_AD: true
          ARM_ENVIRONMENT: 'usgovernment'

Debug Output/Panic Output

2024-11-18T21:53:11.561Z [DEBUG] provider.terraform-provider-azurerm_v4.1.0_x5: [DEBUG] Configuring built-in cloud environment by name: "usgovernment"
2024-11-18T21:53:11.563Z [DEBUG] provider.terraform-provider-azurerm_v4.1.0_x5: [DEBUG] GET https://pipelinesghubeus5.actions.githubusercontent.com/RFlMx1kLBD46SLNGGeDAXvbSPaNqWfa2NKKMSH9mQ9UOoEir0l/00000000-0000-0000-0000-000000000000/_apis/distributedtask/hubs/Actions/plans/0780a3f0-29df-4982-abec-680ec21f651e/jobs/9201c218-890e-5ac0-5321-fee64b687d25/idtoken?api-version=2.0&audience=api%3A%2F%2FAzureADTokenExchange
2024-11-18T21:53:11.714Z [DEBUG] provider.terraform-provider-azurerm_v4.1.0_x5: [DEBUG] POST https://login.microsoftonline.us/***/oauth2/v2.0/token
Error: -18T21:53:12.061Z [ERROR] provider.terraform-provider-azurerm_v4.1.0_x5: Response contains error diagnostic: tf_provider_addr=registry.terraform.io/hashicorp/azurerm tf_req_id=e02bdcb8-277f-5922-96bd-3126f01fd47b tf_rpc=Configure @caller=github.com/hashicorp/terraform-plugin-go@v0.23.0/tfprotov5/internal/diag/diagnostics.go:58 @module=sdk.proto diagnostic_detail="" diagnostic_severity=ERROR diagnostic_summary="building account: could not acquire access token to parse claims: clientCredentialsToken: received HTTP status 401 with response: {"error":"invalid_client","error_description":"AADSTS700212: No matching federated identity record found for presented assertion audience 'api://AzureADTokenExchange'. Please note that the matching is done using a case-sensitive comparison. Please check your federated identity credential Subject, Audience and Issuer against the presented assertion. https://learn.microsoft.com/entra/workload-id/workload-identity-federation Trace ID: c158280b-344c-4b63-8827-7376e3
Error: -18T21:53:12.061Z [ERROR] vertex "provider["registry.terraform.io/hashicorp/azurerm"]" error: building account: could not acquire access token to parse claims: clientCredentialsToken: received HTTP status 401 with response: {"error":"invalid_client","error_description":"AADSTS700212: No matching federated identity record found for presented assertion audience 'api://AzureADTokenExchange'. Please note that the matching is done using a case-sensitive comparison. Please check your federated identity credential Subject, Audience and Issuer against the presented assertion. https://learn.microsoft.com/entra/workload-id/workload-identity-federation Trace ID: c158280b-344c-4b63-8827-7376e32e0600 Correlation ID: 2ac8090e-3b27-43ff-b6d1-8f1a4f76523b Timestamp: 2024-11-18 21:53:12Z","error_codes":[700212],"timestamp":"2024-11-18 21:53:12Z","trace_id":"c158280b-344c-4b63-8827-7376e32e0600","correlation_id":"2ac8090e-3b27-43ff-b6d1-8f1a4f76523b"}
2024-11-18T21:53:12.061Z [WARN] Planning encountered errors, so plan is not applyable
2024-11-18T21:53:12.062Z [INFO] backend/local: plan operation completed
Planning failed. Terraform encountered an error while generating this plan.
Error: building account: could not acquire access token to parse claims: clientCredentialsToken: received HTTP status 401 with response: {"error":"invalid_client","error_description":"AADSTS700212: No matching federated identity record found for presented assertion audience 'api://AzureADTokenExchange'. Please note that the matching is done using a case-sensitive comparison. Please check your federated identity credential Subject, Audience and Issuer against the presented assertion. https://learn.microsoft.com/entra/workload-id/workload-identity-federation Trace ID: c158280b-344c-4b63-8827-7376e32e0600 Correlation ID: 2ac8090e-3b27-43ff-b6d1-8f1a4f76523b Timestamp: 2024-11-18 21:53:12Z","error_codes":[700212],"timestamp":"2024-11-18 21:53:12Z","trace_id":"c158280b-344c-4b63-8827-7376e32e0600","correlation_id":"2ac8090e-3b27-43ff-b6d1-8f1a4f76523b"}
with provider["registry.terraform.io/hashicorp/azurerm"],
on provider.tf line 10, in provider "azurerm":
10: provider "azurerm" {

Expected Behaviour

api://AzureADTokenExchange should actually be api://AzureADTokenExchangeUSGov

Actual Behaviour

Errors because the wrong API is called.

Steps to Reproduce

1. terraform plan

Important Factoids

Running Github Action to Azure US Government with OIDC Token

References

No response
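The failure above is an audience mismatch: the workflow requested a GitHub OIDC token for the public-cloud audience (api://AzureADTokenExchange) while the federated identity credential in the US Government tenant expects api://AzureADTokenExchangeUSGov, and Entra ID rejects the assertion with AADSTS700212 after a case-sensitive comparison. The script below is an added pre-flight check, not code from the azurerm provider or from the reporter: it decodes the claims of a GitHub Actions OIDC token and compares audience, issuer and subject against what the federated credential for a given ARM_ENVIRONMENT should match. It assumes the two environment-to-audience pairs named in this issue (public and usgovernment), the standard GitHub Actions issuer, and a constructed, unsigned sample token; the subject value is a placeholder.

```python
import base64
import json
from typing import Any

# Expected assertion audience per azurerm ARM_ENVIRONMENT value. Both entries are
# the values named in this issue: the public-cloud default and Azure US Government.
EXPECTED_AUDIENCE = {
    "public": "api://AzureADTokenExchange",
    "usgovernment": "api://AzureADTokenExchangeUSGov",
}

# Issuer of GitHub Actions OIDC tokens, which the federated credential must list.
GITHUB_ISSUER = "https://token.actions.githubusercontent.com"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_jwt_payload(token: str) -> dict[str, Any]:
    """Return the claims of a compact JWT. The signature is deliberately not
    verified here: this inspects a token the workflow itself just minted, and
    Entra ID performs the real signature check during the exchange."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def normalize_environment(value: str) -> tuple[str, list[str]]:
    """Lower-case ARM_ENVIRONMENT and flag literal quote characters, which can
    reach the process environment when a value is quoted one layer too many."""
    findings: list[str] = []
    cleaned = value.strip()
    if len(cleaned) >= 2 and cleaned[0] in ("'", '"') and cleaned[-1] == cleaned[0]:
        findings.append(f"ARM_ENVIRONMENT contains literal quote characters: {value!r}")
        cleaned = cleaned[1:-1]
    return cleaned.lower(), findings


def check_assertion(token: str, arm_environment: str, fic_subject: str) -> list[str]:
    """Compare a GitHub OIDC token with the federated identity credential (FIC)
    Entra ID will try to match it against. Returns a list of mismatches (empty
    means the exchange should pass the AADSTS700212 check). Comparisons are
    exact and case-sensitive, as the Entra error message states."""
    env, findings = normalize_environment(arm_environment)
    expected_aud = EXPECTED_AUDIENCE.get(env)
    if expected_aud is None:
        findings.append(f"unknown ARM_ENVIRONMENT {env!r}; cannot determine the expected audience")
        return findings

    claims = decode_jwt_payload(token)
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]  # 'aud' may be a string or a list
    if expected_aud not in audiences:
        findings.append(
            f"audience mismatch: token presents {audiences}, FIC for {env!r} expects {expected_aud!r}"
        )
    if claims.get("iss") != GITHUB_ISSUER:
        findings.append(f"issuer mismatch: {claims.get('iss')!r} != {GITHUB_ISSUER!r}")
    if claims.get("sub") != fic_subject:
        findings.append(f"subject mismatch: {claims.get('sub')!r} != {fic_subject!r}")
    return findings


def make_unsigned_token(claims: dict[str, Any]) -> str:
    """Build a constructed, unsigned JWT with a placeholder signature, for
    offline testing only; real tokens come from the Actions id-token endpoint."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{body}.placeholder-signature"


if __name__ == "__main__":
    # Constructed claims modelled on the failing request in this issue: the token
    # carries the public-cloud audience while the provider targets US Government.
    subject = "repo:example-org/example-repo:ref:refs/heads/main"  # placeholder subject
    sample = make_unsigned_token({"iss": GITHUB_ISSUER, "sub": subject, "aud": "api://AzureADTokenExchange"})
    for problem in check_assertion(sample, "'usgovernment'", subject):
        print("finding:", problem)
```

In a real workflow the token would be fetched from the Actions id-token endpoint (the GET to the idtoken URL visible in the debug log, whose audience query parameter is exactly the value checked here) and passed to check_assertion before terraform init runs, so an audience or subject mismatch surfaces as a readable finding rather than a 401 from login.microsoftonline.us.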

ais-craiggoheen commented 12 hours ago

Issue has been resolved. The specific issue is that ARM_ENVIRONMENT: 'usgovernment' has quotes. Removing the quotes so that you have ARM_ENVIRONMENT: usgovernment resolves the issue.